Autocomplete a novel phishing hole for Chrome, Safari crims
Hidden forms capture LastPass autofill
Phishers have a new tool in their arsenal with the discovery that web browsers Chrome and Safari along with LastPass will autofill hidden registration form fields.
Finnish web developer Viljami Kuosmanen discovered the flaws affecting the world's most popular browser, along with Apple's offering.
The attack works when victims use autofill on a registration form: attackers hide sensitive fields such as street address, date of birth, and phone number, and display only basic entry boxes such as name and email.
Users who type the start of their names will see a prompt that, when selected, offers to fill in their complete details. If a user selects it on a phishing site of the kind Kuosmanen describes, the user's sensitive information will be entered into boxes the user cannot see.
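A defensive check for the pattern described above, as an added example that is not from the article or from Kuosmanen's proof of concept: it flags form fields that autofill could populate but the user cannot see. The field descriptors, the list of CSS hiding methods and the sensitive-name pattern are assumptions made for illustration; in a browser the same values come from getComputedStyle() and getBoundingClientRect().

```javascript
// Audit a form for fields the user cannot see but autofill could populate.
// Descriptors mirror getComputedStyle()/getBoundingClientRect() output; they
// are constructed here (an assumption) so the check runs outside a browser.
const SENSITIVE = /(address|street|postal|zip|tel|phone|bday|birth|cc-|card)/i;

// Return why a field is invisible to the user, or null if it is visible.
function hiddenReason(field, viewport) {
  const s = field.style, r = field.rect;
  if (s.display === "none") return "display:none";
  if (s.visibility === "hidden" || s.visibility === "collapse") return "visibility:" + s.visibility;
  if (Number(s.opacity) === 0) return "opacity:0";
  if (r.width <= 1 || r.height <= 1) return "zero-size box";
  if (r.left + r.width <= 0 || r.top + r.height <= 0) return "positioned off-screen";
  if (r.left >= viewport.width) return "positioned off-screen";
  return null;
}

// List every hidden field, marking those whose name or autocomplete token
// suggests personal data (heuristic pattern, not a browser rule).
function auditForm(fields, viewport) {
  return fields
    .map((f) => ({ f, reason: hiddenReason(f, viewport) }))
    .filter(({ reason }) => reason !== null)
    .map(({ f, reason }) => ({
      name: f.name,
      reason,
      sensitive: SENSITIVE.test(`${f.name} ${f.autocomplete || ""}`),
    }));
}

// Constructed sample: two visible boxes plus three fields hidden three ways.
const viewport = { width: 1280, height: 720 };
const shown = { display: "block", visibility: "visible", opacity: "1" };
const box = (left, top) => ({ left, top, width: 300, height: 32 });
const sampleForm = [
  { name: "name", autocomplete: "name", style: shown, rect: box(40, 100) },
  { name: "email", autocomplete: "email", style: shown, rect: box(40, 150) },
  { name: "phone", autocomplete: "tel", style: shown, rect: box(-500, 200) },
  { name: "address", autocomplete: "street-address", style: { ...shown, display: "none" }, rect: { left: 0, top: 0, width: 0, height: 0 } },
  { name: "birthday", autocomplete: "bday", style: { ...shown, opacity: "0" }, rect: box(40, 250) },
];

console.log(auditForm(sampleForm, viewport));
```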
Kuosmanen tweeted a gif of the attack in action to inform the security community of the novel attack vector.
Users can test their browser and extension autofill using his proof of concept site.
He told Bleeping Computer that Safari did a better job than Chrome at informing users of the fields that would be entered, but was still susceptible.
Mozilla engineer Daniel Veditz says Mozilla is not vulnerable to the attack vector since it does not autocomplete forms and forces users to manually select prefill data for each box.
It is on the cards as a pending feature, however.
This is why I don't like autofill in web forms. #phishing #security #infosec pic.twitter.com/mVIZD2RpJ3
— Viljami Kuosmanen ⭐ (@anttiviljami) January 4, 2017
The Register has found popular cloud security vault LastPass will autocomplete hidden forms when selected by users. The company has been notified.
Autofilling credit card and financial data forms will trigger additional prompts and extra warnings on Chrome when sites do not offer HTTPS. ®